mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
authorJeff Trawick <trawick@apache.org>
Thu, 14 Apr 2011 13:56:17 +0000 (13:56 +0000)
committerJeff Trawick <trawick@apache.org>
Thu, 14 Apr 2011 13:56:17 +0000 (13:56 +0000)
Submitted by: sf
Reviewed by: trawick, wrowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1092246 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_private.h
support/ab.c

diff --git a/CHANGES b/CHANGES
index 2388088e8d40d21c3163993a3c896cc654aa17c7..81e439a11cc84228345d082b81409047a1309899 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.18
 
+  *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
+     [Stefan Fritsch]
+
   *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
      in request URL path info but not decode them. PR 35256,
      PR 46830.  [Dan Poirier]
diff --git a/STATUS b/STATUS
index 84616f5bd3ca0c990a522b6bb6abb9ae2160756b..cb63faa6e2e78d697ae0fe100d8df2c2f331e9d3 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -96,12 +96,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.2.x patch: Trunk version of patch works with fuzz
      +1: sf, trawick, wrowe
 
-  * mod_ssl/ab: Support OpenSSL compiled without SSLv2 support
-     Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1090367
-     2.2.x patch: http://people.apache.org/~sf/support-openssl-without-sslv2.patch
-     +1: sf, trawick, wrowe
-
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
index d800bb6d36d4758ad9a4dfc4effec42c8984a28b..8d3b99d4fc7ee22b6d8c1be01a5c798f44e4681d 100644 (file)
@@ -1273,6 +1273,11 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
         }
 
         if (strcEQ(w, "SSLv2")) {
+#ifdef OPENSSL_NO_SSL2
+            if (action != '-') {
+                return "SSLv2 not supported by this version of OpenSSL";
+            }
+#endif
             thisopt = SSL_PROTOCOL_SSLV2;
         }
         else if (strcEQ(w, "SSLv3")) {
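Review bot: The new `#ifdef OPENSSL_NO_SSL2` guard in ssl_cmd_protocol_parse rejects `SSLv2` and `+SSLv2` but deliberately lets `-SSLv2` through, and nothing in the code says why. A short comment above the check would keep a later edit from collapsing it into an unconditional error, e.g. `/* "-SSLv2" stays valid so existing "all -SSLv2" configurations still load */`. Failing the directive at parse time is the right fail-closed choice, since silently ignoring the token would leave an administrator believing a protocol set is in effect that is not. The function's body starts and ends outside the hunk.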
index e97a1051997312083780d713f1a543b1f8026e09..34535410b8cfde422ed850c22eb7bba252f9884d 100644 (file)
@@ -465,13 +465,16 @@ static void ssl_init_ctx_protocol(server_rec *s,
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                  "Creating new SSL context (protocols: %s)", cp);
 
+#ifndef OPENSSL_NO_SSL2
     if (protocol == SSL_PROTOCOL_SSLV2) {
         method = mctx->pkp ?
             SSLv2_client_method() : /* proxy */
             SSLv2_server_method();  /* server */
         ctx = SSL_CTX_new(method);  /* only SSLv2 is left */
     }
-    else {
+    else
+#endif
+    {
         method = mctx->pkp ?
             SSLv23_client_method() : /* proxy */
             SSLv23_server_method();  /* server */
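Review bot: The `else` left dangling before `#endif`, followed by a bare `{`, is easy to break on a later edit, because on an OPENSSL_NO_SSL2 build the block becomes unconditional with nothing marking that. I would annotate the directive, e.g. `#endif /* !OPENSSL_NO_SSL2: the block below is unconditional without SSLv2 */`. On such a build a `protocol` value equal to SSL_PROTOCOL_SSLV2 would take the SSLv23 branch. The parser change in ssl_engine_config.c should keep that from being reached via configuration. Whether an empty or SSLv2-only mask is rejected earlier in ssl_init_ctx_protocol is not visible here and is worth confirming, since the function starts before and continues past the hunk.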
index af6d0f7259b3622f4642921046bbea6841d61bcc..15deb8f1b38472f262edd7ed885d9e73d37d0eb1 100644 (file)
@@ -218,7 +218,11 @@ typedef int ssl_opt_t;
 #define SSL_PROTOCOL_SSLV2 (1<<0)
 #define SSL_PROTOCOL_SSLV3 (1<<1)
 #define SSL_PROTOCOL_TLSV1 (1<<2)
+#ifndef OPENSSL_NO_SSL2
 #define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#else
+#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+#endif
 typedef int ssl_proto_t;
 
 /**
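Review bot: In the `#ifndef OPENSSL_NO_SSL2` branch, SSL_PROTOCOL_ALL still includes SSL_PROTOCOL_SSLV2, so on any build whose OpenSSL provides SSLv2, `SSLProtocol all` keeps enabling it. The commit does not change that behaviour, but it deserves a comment now that the macro has two definitions. Something like `/* "all" includes SSLv2 only when OpenSSL was built with it; use "-SSLv2" to exclude it explicitly */` above the `#ifndef` would do. SSL_PROTOCOL_SSLV2 itself stays defined in both builds, which the parser hunk in ssl_engine_config.c relies on (`thisopt = SSL_PROTOCOL_SSLV2;`).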
index ce8b209961279cf15db99350623cf50d114058d4..3744864eaf7d0ce0f278f3978fa237c934f76c35 100644 (file)
@@ -1876,7 +1876,11 @@ static void usage(const char *progname)
     fprintf(stderr, "    -h              Display usage information (this message)\n");
 #ifdef USE_SSL
     fprintf(stderr, "    -Z ciphersuite  Specify SSL/TLS cipher suite (See openssl ciphers)\n");
+#ifndef OPENSSL_NO_SSL2
     fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol (SSL2, SSL3, TLS1, or ALL)\n");
+#else
+    fprintf(stderr, "    -f protocol     Specify SSL/TLS protocol (SSL3, TLS1, or ALL)\n");
+#endif
 #endif
     exit(EINVAL);
 }
@@ -2209,8 +2213,10 @@ int main(int argc, const char * const argv[])
             case 'f':
                 if (strncasecmp(optarg, "ALL", 3) == 0) {
                     meth = SSLv23_client_method();
+#ifndef OPENSSL_NO_SSL2
                 } else if (strncasecmp(optarg, "SSL2", 4) == 0) {
                     meth = SSLv2_client_method();
+#endif
                 } else if (strncasecmp(optarg, "SSL3", 4) == 0) {
                     meth = SSLv3_client_method();
                 } else if (strncasecmp(optarg, "TLS1", 4) == 0) {
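Review bot: With OPENSSL_NO_SSL2 defined, `-f SSL2` no longer matches any branch of this chain in main(), and the hunk shows no diagnostic for it. The end of the chain is outside the hunk, so if there is no final `else`, the run silently proceeds with whatever `meth` held before. A benchmark that quietly negotiates a different protocol than the one requested gives misleading results, so I would reject the value explicitly by adding `#else` / `} else if (strncasecmp(optarg, "SSL2", 4) == 0) {` / `usage(argv[0]);` before the `#endif`. The usage() text in the preceding hunk already omits SSL2 on such builds, so the error path would be consistent with it.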